Automated secure DNSSEC provisioning system

ABSTRACT

A system and method that maintains a secure chain of trust from domain name owner to publication by extending the trust placed in existing cryptographic identity systems to the records published in the Internet&#39;s Domain Name System (DNS) and secured by its DNS Security Extensions (DNSSEC) infrastructure. Automated validation and processing occur within a secured processing environment to capture and preserve the cryptographic security from the source request.

TECHNICAL FIELD

The present invention relates to the secure provisioning of public Internet domain name records. More particularly, the present invention relates to a secure system and method for extending the trust placed in existing cryptographic identity systems to the records published in the Internet's Domain Name System (DNS) and secured by its DNS Security Extensions (DNSSEC) infrastructure.

DESCRIPTION OF INVENTION

With the increasing reliance of the world's population on the Internet, there have been concerted efforts to secure communications over this intrinsically open and insecure resource. Specifically, robust cryptographic systems have been developed to allow Internet users to authenticate identities, encrypt communications, and protect against surreptitious modification. However, the lack of interoperability amongst them has limited their potential to solve many of the Internet's security ills.

One of the most promising approaches to overcome this are the nascent efforts to use a secured version of the Internet's global phone book (DNS+DNSSEC) to unify existing systems (and create new ones). However, the reliance of other systems on DNSSEC as a unifying infrastructure places DNSSEC key management squarely in the chain of trust afforded by any overall system, increasing the security burden on DNSSEC. In addition, the difficulty in managing and securing keying material has stifled widespread DNSSEC adoption. The present invention seeks to reduce this increased security burden and simplify provisioning and management of keying material through automation by building on existing cryptographic identify systems.

What would simplify adoption and preserve chains of trust would be an automated DNSSEC key management and provisioning system that captures the security of domain name owner and preserves the same level in published DNSSEC data.

By combining the use of existing Public Key Infrastructure (PKI) based mechanisms, trusted 3 ^(rd) party identity attestation entities (e.g. certification authorities), out-of-band initial authorization, and a secure processing environment an automated and secured system can be made available that requires nothing but standard secure email exchanges to configure.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 shows the flow of a secured request from a domain name owner on the left through to digitally signed, irrefutable, published DNS record on the right according to the present invention. Request validation and cryptographic operations are automatically performed inside the secured DNSSEC provisioning environment outlined in the box.

PREFERRED EMBODIMENT

In the preferred embodiment of the present invention, requests for additions, deletions, or modifications of a domain name's records (including the creation of the domain name itself) would be sent in the form of digitally signed e-mail (100) to a DNSSEC service provider chosen by the domain name owner to manage their domain name. The mechanisms providing this function are mature and available in nearly all computer systems (e.g. S/MIME). The cryptographic material used by the sender to sign their e-mail has been associated with the sender and attested to by a third party (104) in the form of a digital certificate which is delivered along with the signed e-mail. On reception, messages are stored (103) by the DNSSEC service provider. A server inside a secure processing environment (SPE) (105)¹ electromagnetically shielded, firewalled, and under tight access controls and audited processes, automatically reads these messages. The server then cryptographically checks (108) the integrity of their contents and follows a cryptographic chain to validate (109) the source of the message with a pre-determined list of trusted third party root certificates (106). If the message cannot be validated, it is discarded. Otherwise a chain of trust has been established between DNSSEC service provider, 3^(rd) party attester/certificate issuer (104), and domain name owner. ¹ E.g. DCID 6/9 Physical Security Standards for Sensitive Compartmented Information Facilities (SCIF), Effective 18 Nov. 2002

The server then checks (110) to see if the sender is on a pre-determined list of authorized identities (111), which may include public records such as domain name WHOIS data, for the domain to be modified. If so, the request is automatically processed by the server (113) and the updated domain name records are digitally signed using DNSSEC (114) with the domain's corresponding DNSSEC keys (115) and output to an external server outside the SPE (116) for immediate publication (107) thus completing the operation.

In the case of initial domain name creation, if the sender is authorized, the DNSSEC keys (115) are automatically generated inside the SPE server. The keys never leave the SPE in unencrypted form. 

What is claimed:
 1. An automated method for provisioning domain name records that maintains a secure chain of trust from domain name owner to published data relying on existing public key identity systems, comprising the steps of: providing for owner generating a request to add/delete/modify domain name records digitally signed by the owner's private key and accompanied by corresponding digital certificate; providing for transmission and reception of request via the public Internet; providing for cryptographic verification that the request has not been modified in transit inside Secure Processing Environment (SPE); providing for cryptographic validation of the signed request inside SPE against a pre-configured list of trusted certificates that attest to the owner's identity; providing for authorization of the request against a pre-configured list of authorized administrators for the associated domain inside SPE; providing for the processing of the request inside SPE updating domain name records; providing for the DNSSEC digital signing of the updated records inside SPE using DNSSEC private keys associated with the domain name; providing for the publication of the domain name records outside SPE;
 2. The method of claim 1, further providing that the records may contain key material for systems and purposes not related to DNS or DNSSEC;
 3. The method of claim 2, further comprising the step of creating new domain name entries if they do not exist and the deletion of existing ones if requested and authorized;
 4. The method of claim 3, further comprising the step of generating DNSSEC key material inside SPE for the domain name on initial, authorized, creation request and as needed for key updates;
 5. The method of claim 4, further comprising the step of maintain all keying material inside the physically and electronically SPE with keys never leaving SPE in unencrypted form;
 6. The method of claim 5, further comprising the step of performing initial authorization using various public records including, but not limited to, domain name WHOIS records;
 7. The method of claim 5, where SPE may be a cryptographic Hardware Security Module (HSM) for key generation, protection and use.
 8. The method of claim 5, where SPE may be a Sensitive Compartmented Information Facility (SCIF)¹; ¹ DCID 6/9 Physical Security Standards for Sensitive Compartmented Information Facilities, Effective 18 Nov. 2002
 9. The method of claim 5, further comprising the step of encrypting responses to authorized requests for sensitive material associated with a zone using the owner's public key material in the request itself;
 10. The method of claim 5, further comprising the step of accepting encrypted requests;
 11. The method of claim 5, further comprising the step of automatically registering additional DNS and DNSSEC records (e.g., “NS” and “DS” records) with entities responsible for their publication higher up in the DNS hierarchy 